[sword-devel] Doctrinal Statement
Michael Paul Johnson
sword-devel@crosswire.org
Sat, 29 Jul 2000 07:48:39 -0600
At 11:38 PM 7/28/00 -0700, Jerry Hastings wrote:
>At 05:48 PM 7/28/2000 -0700, Chris Little wrote:
>
>>I think some kind of signing system is needed, possibly built into the
>>module format itself. It may be time to update the sword module format to
>>include some new features. Perhaps all modules should be encrypted such
>>that they are only properly readable if they are unaltered, something like
>>using their own checksum as an encryption key.
>
>Yes. Something like that should be done. It should include some kind of revision info also, so one can tell if one has a copy that is behind in corrections/revisions. All of this kind of stuff should be in the module data, not in a separate file. One should not be able to remove this info without destroying the module. Also, a list of revisions for all known Sword modules should be shipped with Sword, so the install program can check previously installed modules to see if a better version exists. Unknown modules could still be used they just wouldn't produce any message about updates.
>
>But, all of this is open source. Can't anyone take a text edit it and build a module that will have valid security features at the local level? This why I think some optional remote security data is also good. Not required to run, but there for those that want to do a check.
I recommend just using external PGP signatures to validate modules. Anyone can sign a module, but not everyone can sign a module with my signature or Troy's signature. Besides, open source authentication software works, too, as long as you are careful where you get it. PGP is open source.
_______
Michael Paul Johnson
mpj@eBible.org http://ebible.org/mpj